Where are the trusted security advisors?

Today's security industry reflects the turmoil of online commerce. Consider the obstacles facing security product and service vendors: rapidly evolving operating system vulnerabilities, software applications being released without benefit of security reviews, and a scarcity of trained and experienced security practitioners.

In response, a new security marketplace has replaced what was once an obscure but necessary corporate task. Welcome the 2001 security advisors: information assurance vendors staffed with experts dedicated to corporate protection, and available for consultation regarding not only their commercial offerings, but any protection issues facing your firm. Your staff is reaching a defensive state where they can't know it all, so the vendors that supply your firm's protection infrastructure must become trusted advisors.

Where negligible funding was available for security firms less than two years ago, copious funds now flow from venture capital and new security product sales. IDC, a high tech industry analysis firm, just issued a security services forecast for the second largest global market: Western Europe. According to IDC, e-security services exceeded $1.5 billion in 2000 and will reach $4 billion dollars in Western Europe by 2004. The story in the number one security market, North America, is similar, with high dollar growth projected in the next few years.

The most recent wave of security vendor startups coincided with the rise of communications, e-commerce, and transactional traffic on the Internet. Since few long-established security vendors had the responsiveness and innovation to keep up in this fast-moving market, less well-known vendors began releasing more innovative and comprehensive security products and services. Many security firms measure their histories in months rather than versions.

Is the age of an advisory firm a make-or-break criterion? No, it's only one of the factors you should look at to choose who should become your trusted security advisor. It's ironic that trust is a rare commodity in an industry that focuses on verification and non-repudiation, but in fact trusted security advisors are difficult to find, and even more difficult to retain.

If you need a security advisor, consider the following criteria. Ultimately, these factors will determine a vendor's trustworthiness and long-term survival, both crucial to your long-term support. The factors below are listed in order of priority.

  1. Vendor leadership. Leadership may come from many places within a vendor's organization, including technology, marketing, management, and operations. But ultimately, senior management has the largest effect on whether a security vendor succeeds or fails. While the management's credentials may appear impressive, these executives' ability to take action in the right directions, at the right times, in the right markets, with the right technologies will determine the firm's ultimate success.

  2. Communication. If a vendor cannot effectively communicate with both current and potential customers, it will likely not survive the coming security vendor shakeout (and there will be one).

  3. Business model. Security vendors, particularly in today's market, tend to focus on specific technologies and target precise market segments. Be wary if a vendor's market strategy is vague or unfocused, if their products are diverse, or if its development road map (i.e., future product/service development plans) is uncertain.

  4. Technology. First, look for effective protection and functional flexibility when selecting a security vendor. Then focus on necessary underlying features, including interoperability, cross-platform interfaces, adherence to standards, dedication to continual upgrading to maintain protection, ease of installation, infrastructure integration, and central administration. Also consider risk mitigation, return on investment, and operational cost savings.

  5. Number of employees. The number of full-time employees normally dictates operational and service limitations. If a substantial percentage of the staff is contract or part-time, you may question the firm's consistency and competency. Look for obvious imbalances. If 80 percent of staffers are software engineers, beware of potential marketing and communication weaknesses. Firms with a majority of staff in marketing and sales may lack technology quality. If a firm is operating with fewer than 40 employees and offers a broad range of products and future plans, it may not be viable or trustworthy.

  6. Operational funding. Since the security market is hot right now and the dot-com venture capital funding bubble has burst, security startups with great technology potential are attracting waves of venture capital. All well and good, but money quickly disappears when business models falter and revenues fall short of expectations.

  7. Vendor start-up date. Find out how long the vendor has been incorporated or otherwise registered, if not operational. While longevity is a good indication of in-depth expertise, in this field it also can represent excess baggage if the parent company's priorities and operating perspectives overwhelm the ability to change quickly.

The preeminent criterion for choosing trusted security partners is not technology, although in this arena protection must be continually effective and constantly updated. Nor is it the business model, funding, or communication, though all are important. Ultimately, executive quality and the staff these executives acquire, inspire, and direct will be your best protection in the future.

Dr. Goslar is principal security analyst and founder of E-PHD, LLC - a security industry research and analysis firm. A cyber-investigator and former law enforcement software engineering officer, he can be reached at Comments@E-PHD.COM.